
OpenID4VCI explained

OpenID4VCI is the OpenID standard that defines how digital wallets obtain verifiable credentials from issuers, based on OAuth 2.0 flows. It enables interoperable, privacy-preserving credential issuance through standardized endpoints, authentication, and proof mechanisms, ensuring trust and compatibility across digital identity ecosystems.

Flows

OpenID4VCI conceptually consists of two flows for credential issuance: the Authorized code flow and the Pre-authorized code flow.

Authorized code flow

In the authorization code flow, a verifier requests a presentation from a wallet by redirecting the user to an authorization endpoint. The user consents and authenticates in the wallet, which returns an authorization code to the verifier. The verifier exchanges this code for a verifiable presentation via the token endpoint.

Requires:

  • The credential offer specifies authorization code flow, or
  • Wallet/Caller decides to use this flow

Authorization Code Flow state transition diagram

Pre-authorized code flow

The pre-authorized code flow allows a wallet or client to obtain an access token without user interaction at authorization time. The issuer provides a pre-authorized code (and optionally a transaction code) that the wallet exchanges directly with the token endpoint for an access token, enabling streamlined, user-friendly credential issuance.

Requires:

  • The credential offer specifies pre-authorized code flow, or
  • Wallet/caller decides to use this flow

Steps:

  1. The wallet exchanges the pre-authorized code
  2. The wallet places an adequate request to the token endpoint of the credential issuer
  3. The wallet receives the token endpoint response and maps it to an AuthorizedRequest

PreAuthorization Code Flow state transition diagram
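
The steps above as an added example (not code from the page or from any wallet library): it checks that the offer specifies the pre-authorized code flow, builds the token request body, and maps the response. The offer and request parameter names follow OpenID4VCI 1.0 (earlier drafts used different names for the transaction code); the AuthorizedRequest fields, the function names and the sample offer are assumptions, and the token endpoint URL is assumed to come from the issuer's metadata.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

# Constructed sample offer; issuer URL, code and configuration id are made up.
SAMPLE_OFFER = {
    "credential_issuer": "https://issuer.example",
    "credential_configuration_ids": ["ExampleCredential"],
    "grants": {PRE_AUTH_GRANT: {
        "pre-authorized_code": "constructed-code-123",
        "tx_code": {"input_mode": "numeric", "length": 4},
    }},
}

@dataclass(frozen=True)
class AuthorizedRequest:
    """Hypothetical shape; the page names the type but not its fields."""
    access_token: str
    token_type: str
    expires_in: Optional[int]

def build_token_request(offer, token_endpoint, tx_code=None):
    """Step 2: return (url, form_body) for the token endpoint request."""
    grant = offer.get("grants", {}).get(PRE_AUTH_GRANT)
    if grant is None:
        raise ValueError("offer does not specify the pre-authorized code flow")
    if urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https")
    form = {"grant_type": PRE_AUTH_GRANT,
            "pre-authorized_code": grant["pre-authorized_code"]}
    if "tx_code" in grant:  # issuer expects a transaction code from the user
        if not tx_code:
            raise ValueError("offer requires a transaction code")
        form["tx_code"] = tx_code
    return token_endpoint, urlencode(form)

def to_authorized_request(response):
    """Step 3: map the token endpoint response, rejecting incomplete ones."""
    if "error" in response:
        raise ValueError("token endpoint error: " + str(response["error"]))
    if not response.get("access_token") or not response.get("token_type"):
        raise ValueError("token response lacks access_token or token_type")
    return AuthorizedRequest(response["access_token"], response["token_type"],
                             response.get("expires_in"))
```

The form body is sent as `application/x-www-form-urlencoded` in a POST to the token endpoint; the pre-authorized code and transaction code are bearer secrets and should stay out of logs.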